Sophos XG Firewall v18 to AWS VPN Gateway IPSEC Connection

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This article describes the procedure to create an IPsec connection between an AWS VPN Gateway and XG Firewall version 18.

Pre-requisites

  1. XG v18 firmware

    • Minimum of "EAP 3 Refresh-1" needed.

  2. Your on-prem XG Firewall and the following information:

    • The public IP of the XG firewall.
    • The IP address space behind your XG firewall.

  3. Your Amazon AWS VPC and the following information:

    • IP address space of the VPC.

Step 1: Create AWS Customer Gateway (with XG public IP details)

In AWS terms the customer gateway represents your on-premises end of the tunnel. You will need the public IP address of your on-prem Sophos XG firewall and the private IP address space(s) behind it.

This article assumes that the public IP address is configured directly on the WAN interface of the on-prem XG firewall. If the XG sits behind a NAT device, the customer gateway must still be created with the public (post-NAT) address that AWS sees as the IKE peer, and the XG's Local ID in Step 7 should be set to that address rather than to the private WAN address.

  1. Go to the AWS Management Console (https://aws.amazon.com/console/) and sign in with your credentials.
  2. Under 'Services', click on 'VPC'.



  3. Filter by your VPC to make navigation easier.



  4. On the left navigation pane, scroll down to VIRTUAL PRIVATE NETWORK (VPN).
  5. Click on 'Customer Gateways'.



  6. On the "Create customer gateway" page, configure the following:

    • Name: Specify any descriptive name.
    • Routing: Specify the routing mode to be used. In our scenario, select Static.
    • IP Address: Specify the public IP address of your Sophos XG firewall (the address AWS will see as the IKE peer).
    • Certificate ARN (optional): In our scenario, no certificate is selected.
    • Device (optional): In our scenario, no device is selected.

  7. Click on Create Customer Gateway.



Step 2: Create a Virtual Private Gateway (and attach the VGW to your VPC)

  1. Select the VPC for which you want to create the virtual private gateway.
  2. In the left navigation pane, scroll down to VIRTUAL PRIVATE NETWORK (VPN).
  3. Click on 'Virtual Private Gateways'.



  4. On the "Create Virtual Private Gateway" page, configure the following:

    • Name tag: Specify a descriptive Name
    • ASN: Select the applicable option. In our scenario, select Amazon default ASN

  5. Click on Create Virtual Private Gateway.

    Note:
    To view the newly created Virtual Private Gateway, remove the filter applied on the VPC in Step 1(3). The filter needs to be removed as the VGW is not yet attached to the filtered VPC.



  6. Attach Virtual Private Gateway (VGW) to the VPC.

    • Select the newly created VGW.
    • Click on Actions and select Attach to VPC.

    Once the VGW is attached to the VPC, reapply the filter on your VPC as described in Step 1(3).



Step 3: Create the Site-to-Site VPN connection (AWS)

  1. In the left navigation pane, scroll down to Site-to-Site VPN Connections.
  2. Click on 'Create VPN Connection'.



  3. On the "Create VPN Connection" page, configure the following:

    • Name Tag: Specify a descriptive name for the VPN connection.
    • Target Gateway Type: Select Virtual Private Gateway.
    • Virtual Private Gateway: From the drop-down box, select the virtual private gateway created in Step 2 (use your own values here, not the values shown in the screenshot).
    • Customer Gateway: Select Existing.
    • Customer Gateway ID: From the drop-down box, select the customer gateway created in Step 1 (use your own values here, not the values shown in the screenshot).
    • Routing Options: The routing option must match the routing mode selected for the customer gateway in Step 1(6). In our scenario, select Static.
    • Static IP Prefixes: Provide the private IP address range(s) behind the on-premises Sophos XG firewall (use your own values here, not the values shown in the screenshot). Typically this is the LAN interface network of the on-prem XG. AWS only routes traffic for these prefixes into the tunnel, so a prefix missing here shows up later as one-way traffic.

    The rest of the parameters can be left at their defaults for this walkthrough: AWS then generates the pre-shared keys for both tunnels, and the Local IPv4 network CIDR and Remote IPv4 network CIDR fields stay at 0.0.0.0/0, which matches the 0.0.0.0/0 local and remote subnets of the XG tunnel-interface connection created in Step 7.

  4. Click on 'Create VPN Connection' to create the AWS VPN.



Step 4: Download and extract needed information from the configuration file (AWS)

  1. Select the newly created VPN connection and click on Download Configuration.



  2. In the "Download configuration" blade, select the following:

    • Vendor: Generic
    • Platform: Generic
    • Software: Vendor Agnostic
    • Click on "Download"



    The configuration file is downloaded as plain text (.txt). For each of the two tunnels it lists the pre-shared key, the outside (public) addresses of the customer gateway and the virtual private gateway, the inside 169.254.x.x/30 tunnel addresses, the MSS value, and the IKE (Phase 1) and IPsec (Phase 2) parameters. The Phase 1 and Phase 2 parameters must be matched in the on-prem Sophos XG IPsec policy. Because the file holds the pre-shared keys in clear text, handle and store it as you would any other credential.

Step 5: Create a route in the route table associated with your VPC

  1. In the left navigation pane:

    • Filter by VPC: Select your VPC.

  2. Navigate to VIRTUAL PRIVATE CLOUD > Route Tables.
  3. Select the associated Route Table.



  4. In the bottom navigation:

    • Select the Routes tab.
    • Click on Edit routes.



  5. Click on Add route and configure the following:

    • Destination: Private IP address range behind the XG firewall. Typically this is the LAN interface network of the on-prem Sophos XG firewall (the same prefix entered as a Static IP Prefix in Step 3).
    • Target: Select the virtual private gateway created in Step 2.
    • Click on Save routes.



Step 6: Create the VPN Policy (Sophos XG Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos XG firewall.
  2. Create a new policy in Sophos XG matching the parameters specified in the document downloaded in the previous step.
  3. Navigate to CONFIGURE>VPN.
  4. Click on the "..." to expand the menu, and select IPsec policies.



  5. In the IPSec policies blade, configure the following:

    • Name: Specify a descriptive name
    • Key exchange: Select IKEv1
    • Authentication mode: Select Main mode



  6. Scroll down to configure the parameters for Phase 1. These should match the downloaded configuration obtained in Step 4(2).
  7. In our scenario, configure the following Phase 1 parameters on Sophos XG:

    • Key life: 28800
    • DH group (key group): 2[DH1024]
    • Encryption: AES128
    • Authentication: SHA1





  8. Scroll down to configure the parameters for Phase 2. These should match the downloaded configuration obtained in Step 4(2).
  9. In our scenario, configure the following Phase 2 parameters on Sophos XG:

    • Key life: 3600
    • DH group (key group): Same as Phase 1 (this is the PFS group given in the downloaded file)
    • Encryption: AES128
    • Authentication: SHA1





  10. Scroll down to configure the parameters for Dead Peer Detection.

    • Select the "Enable Dead Peer Detection" checkbox.
    • Click Save.



Step 7: Create the VPN Connection(Sophos XG Firewall)

  1. Under "Configure", click on "VPN" → "IPSEC Connections" → "Add".



  2. Configure the following settings:

    General Settings

    • Name: Input any preferred name
    • Connection Type: Tunnel interface
    • IP Version: Dual
    • Gateway Type: Initiate the Connection
    • Activate on Save: Selected
    • Description: Add a description for the connection



    Encryption

    • Policy: Select the policy created in Step 6
    • Authentication Type: Preshared Key
    • Preshared Key: Enter the preshared key as available from the downloaded configuration obtained in Step 4(2).
    • Repeat Preshared Key: Confirm the above-preshared key



    Gateway Settings

    • Listening Interface: Select the WAN interface of the Sophos XG firewall.
    • Gateway Address: Enter the public IP of the AWS VPN gateway, i.e. the Virtual Private Gateway address listed under "Outside IP Addresses" in the configuration file downloaded in Step 4(2). Use the IPSec Tunnel #1 address here; Tunnel #2 has its own address and its own pre-shared key.
    • Local ID type: IP Address.
    • Local ID: Enter the public IP of the on-prem Sophos XG firewall (the address used for the customer gateway in Step 1).
    • Remote ID type: IP Address.
    • Remote ID: Enter the same AWS Virtual Private Gateway address as in Gateway Address.
    • There is no option to configure the "Local Subnet" and "Remote Subnet" for a tunnel-interface connection; both are set to "0.0.0.0/0", and the static route in Step 10 decides which traffic enters the tunnel.



    Advanced

    • Leave default settings

  3. Click "Save".



  4. Click "OK" when prompted about the "Preshared key".

  5. The connection should now be active and in a connected state.



    (Optional) Configure a redundant tunnel to the AWS gateway by repeating Step 7 with the values of IPSec Tunnel #2 from the configuration file obtained in Step 4(2); the IPsec policy from Step 6 can be reused. The second connection gets its own xfrm interface, which is configured as in Step 9 with the Tunnel #2 inside address.

Step 8: Create firewall rules to allow inbound and outbound traffic through the VPN (Sophos XG Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos XG firewall.
  2. Under "Protect", click on "Rules and Policies" → "Add Firewall Rule" → "New Firewall Rule".



  3. In the "Add Firewall Rule" window, configure the incoming firewall rule as follows:

    • Rule status: ON
    • Rule Name: aws_to_onprem
    • Action: Accept
    • Rule Position: Top
    • Rule group: Automatic
    • Log firewall traffic: Selected



    Source

    • Source Zones: LAN and VPN
    • Source Networks and Devices: Any
    • During Scheduled Time: Leave default setting



    Destination & Services

    • Destination Zones: LAN and VPN
    • Destination Networks: Any
    • Services: Any



  4. Leave the other settings at their defaults.

    • As written, this rule allows any host and any service between the LAN and VPN zones in both directions, which is convenient while bringing the tunnel up. Once traffic flows, narrow "Source Networks and Devices" and "Destination Networks" to the on-prem LAN network and the VPC CIDR (and the services actually required), and enable the XG security checks (IPS, web, etc.) for the traffic if you want to.

  5. Click on "Save".

Step 9: Configure the xfrm tunnel interface (Sophos XG Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos XG firewall.
  2. Under "Configure", Click on "Network" → Under "Interfaces", click on the xfrm interface.



  3. In the "Network" configuration window, configure the following:

    • IPv4/netmask: Enter the Customer Gateway address listed under "Inside IP Addresses" in the configuration file downloaded in Step 4(2), with its /30 mask (a 169.254.x.x/30 link address). The Virtual Private Gateway inside address in the same /30 is the AWS end of the tunnel link.
    • Expand "Advanced Settings"
      • Select "Override MSS" and enter the MSS value as given in the configuration file downloaded in Step 4(2).
    • Click on "Save".





  4. In the "Update interface" prompt, click "Update interface".

Step 10: Configure static routing to the AWS network (Sophos XG Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos XG firewall.
  2. Under "Configure", click on "Routing" → Under "Static Routing", click on "Add".
  3. In the "Add unicast route" window, configure the following:

    • Destination IP/Netmask: Enter the network address and subnet mask of your AWS VPC (the VPC CIDR)
    • Gateway: Leave empty
    • Interface: Select the XG's xfrm tunnel interface configured in Step 9
    • Distance: Leave default setting
    • Click on "Save"
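Copying the values from the Step 4 file into the XG screens by hand is where most mistakes in this procedure happen: a Phase 2 key life typed into Phase 1, Tunnel #2's pre-shared key pasted into the Tunnel #1 connection, or the wrong inside address on the xfrm interface. The Python below is an added example and is not part of this article nor of any Sophos or AWS tooling. It parses a constructed sample written in the layout of the Generic/Vendor Agnostic file (the section headings and label text are assumptions about that layout; check them against your own download), maps each tunnel onto the fields entered in Steps 6, 7, 9 and 10, verifies that the two inside addresses share a /30, and flags the legacy SHA1 and DH group 2 choices the article's policy uses. The xfrm interface names, the VPC CIDR, the addresses and the keys are placeholders.

```python
import ipaddress
import re

# Constructed sample in the layout of the AWS "Generic / Vendor Agnostic" download
# (label spellings assumed). Addresses are documentation values, keys are placeholders.
SAMPLE_CONFIG = """\
IPSec Tunnel #1
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : ExampleKey1NotReal
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Diffie-Hellman           : Group 2
#2: IPSec Configuration
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 198.51.100.21
Inside IP Addresses
  - Customer Gateway         : 169.254.10.2/30
  - Virtual Private Gateway  : 169.254.10.1/30
  - MSS value: 1379
IPSec Tunnel #2
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : ExampleKey2NotReal
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Diffie-Hellman           : Group 2
#2: IPSec Configuration
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 198.51.100.22
Inside IP Addresses
  - Customer Gateway         : 169.254.11.2/30
  - Virtual Private Gateway  : 169.254.11.1/30
  - MSS value: 1379
"""

KV = re.compile(r"^\s*-\s*(.+?)\s*:\s*(.+?)\s*$")          # "  - Label : value" lines
SECTIONS = {"#1:": "ike", "#2:": "ipsec", "Outside IP": "outside", "Inside IP": "inside"}
ENC = {"aes-128-cbc": "AES128", "aes-256-cbc": "AES256"}    # AWS names -> XG policy names
AUTH = {"sha1": "SHA1", "hmac-sha1-96": "SHA1", "sha256": "SHA2_256", "hmac-sha256-128": "SHA2_256"}

def parse_generic_config(text):
    """Return {tunnel_number: {section: {label: value}}} for each 'IPSec Tunnel #N' block."""
    tunnels, cur, section = {}, None, None
    for line in text.splitlines():
        m = re.match(r"IPSec Tunnel #(\d+)", line)
        if m:  # a new tunnel block starts; reset the section tracker
            cur, section = tunnels.setdefault(int(m.group(1)), {}), None
            continue
        section = next((v for k, v in SECTIONS.items() if line.startswith(k)), section)
        kv = KV.match(line)
        if kv and cur is not None and section:
            cur.setdefault(section, {})[kv.group(1)] = kv.group(2)
    return tunnels

def dh_group(text):
    """'Group 2' / 'Diffie-Hellman Group 2' -> 2, the XG 'DH group (key group)' number."""
    return int(re.search(r"Group\s+(\d+)", text).group(1))

def xg_settings(t, vpc_cidr, xfrm_name="xfrm1"):
    """Map one parsed tunnel onto the XG fields filled in at Steps 6, 7, 9 and 10."""
    ike, esp, out, ins = t["ike"], t["ipsec"], t["outside"], t["inside"]
    cgw_in = ipaddress.ip_interface(ins["Customer Gateway"])
    vgw_in = ipaddress.ip_interface(ins["Virtual Private Gateway"])
    if cgw_in.network != vgw_in.network:  # both ends must sit in the same /30 link network
        raise ValueError("inside addresses are not on the same /30")
    return {
        "policy": {  # Step 6: IKEv1 main mode, Phase 1 / Phase 2 proposals and key lives
            "key_exchange": "IKEv1", "mode": ike["Phase 1 Negotiation Mode"],
            "p1": {"key_life": int(ike["Lifetime"].split()[0]), "dh": dh_group(ike["Diffie-Hellman"]),
                   "enc": ENC[ike["Encryption Algorithm"]], "auth": AUTH[ike["Authentication Algorithm"]]},
            "p2": {"key_life": int(esp["Lifetime"].split()[0]), "dh": dh_group(esp["Perfect Forward Secrecy"]),
                   "enc": ENC[esp["Encryption Algorithm"]], "auth": AUTH[esp["Authentication Algorithm"]]}},
        "connection": {  # Step 7: peer address, local/remote IDs (type "IP Address") and the PSK
            "gateway_address": out["Virtual Private Gateway"], "remote_id": out["Virtual Private Gateway"],
            "local_id": out["Customer Gateway"], "psk": ike["Pre-Shared Key"]},
        "xfrm": {  # Step 9: customer-gateway inside /30 address and MSS clamp; peer_inside is the AWS end
            "ipv4_netmask": str(cgw_in), "mss": int(ins["MSS value"]), "peer_inside": str(vgw_in.ip)},
        "route": {  # Step 10: VPC CIDR via the tunnel interface, gateway left empty
            "destination": str(ipaddress.ip_network(vpc_cidr)), "interface": xfrm_name, "gateway": ""},
    }

def weak_proposal_warnings(settings):
    """Flag the legacy algorithms the article's (AWS minimum) proposal relies on."""
    legacy = {"auth": ("SHA1", "SHA1 integrity"), "dh": (2, "DH group 2 (1024-bit MODP)")}
    return [f"{ph}: {msg}" for ph in ("p1", "p2")
            for key, (bad, msg) in legacy.items() if settings["policy"][ph][key] == bad]
```

To use it on a real download, call parse_generic_config() on the file contents and xg_settings() on each tunnel (tunnel 2 with its own xfrm name); the returned dictionaries contain the pre-shared keys, so treat the output like the file itself. A non-empty weak_proposal_warnings() list is the cue to set stronger algorithms in the AWS tunnel options and in the XG policy instead of accepting the minimum proposal, provided your XG firmware supports them.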

Step 11: Verify the VPN connection

  1. In the AWS Management Console (https://console.aws.amazon.com/), go to "Virtual Private Network (VPN)" and select Site-to-Site VPN Connections.
  2. On the "VPN Connection" page, under Tunnel Details, ensure that the status of the tunnel whose outside IP you configured in Step 7 is "UP".


  3. Perform a connectivity test from an on-premises host to an EC2 instance in the VPC. The instance's security group and the subnet's network ACL must allow the traffic from the on-prem range, and the firewall rule from Step 8 must permit it on the XG side.
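The checks in Step 11 can also be scripted against the AWS CLI output, which helps when the console shows one tunnel UP and you are not sure it is the one the XG points at. The Python below is an added example, not part of this article or of the AWS CLI: it runs over a constructed JSON document shaped like the output of `aws ec2 describe-vpn-connections --output json` (the connection ID, addresses and on-prem prefix are placeholders, and Tunnel #2 is deliberately DOWN), confirms that the on-prem prefixes entered in Step 3 are present as static routes, lists which tunnel outside addresses are UP, and checks that the Gateway Address entered on the XG in Step 7 is one of them. The live_describe() helper shows the real CLI call and needs AWS credentials; the sample run does not invoke it.

```python
import ipaddress
import json
import subprocess

# Constructed sample shaped like `aws ec2 describe-vpn-connections --output json`
# for one static-routed connection. IDs and addresses are placeholders.
SAMPLE_DESCRIBE = json.dumps({"VpnConnections": [{
    "VpnConnectionId": "vpn-0123456789abcdef0",
    "State": "available",
    "Options": {"StaticRoutesOnly": True},
    "Routes": [{"DestinationCidrBlock": "192.168.10.0/24", "Source": "Static", "State": "available"}],
    "VgwTelemetry": [
        {"OutsideIpAddress": "198.51.100.21", "Status": "UP", "StatusMessage": ""},
        {"OutsideIpAddress": "198.51.100.22", "Status": "DOWN", "StatusMessage": "IPSEC IS DOWN"},
    ],
}]})

def vpn_health(describe_json, onprem_cidrs, xg_gateway_address, vpn_id=None):
    """Summarise one Site-to-Site VPN connection the way Step 11 checks it by eye.

    onprem_cidrs: the networks entered as Static IP Prefixes in Step 3 (each must be
    covered by an available route); xg_gateway_address: the Gateway Address typed into
    the XG at Step 7 (must be one of the tunnels reported UP, not the other tunnel's IP).
    """
    conns = json.loads(describe_json)["VpnConnections"]
    conn = next(c for c in conns if vpn_id is None or c["VpnConnectionId"] == vpn_id)
    routes = [ipaddress.ip_network(r["DestinationCidrBlock"]) for r in conn.get("Routes", [])
              if r.get("State") == "available"]
    missing = [c for c in onprem_cidrs
               if not any(ipaddress.ip_network(c).subnet_of(r) for r in routes)]
    up = [t["OutsideIpAddress"] for t in conn["VgwTelemetry"] if t["Status"] == "UP"]
    down = [t["OutsideIpAddress"] for t in conn["VgwTelemetry"] if t["Status"] != "UP"]
    return {
        "vpn_id": conn["VpnConnectionId"],
        "state": conn["State"],
        "static_only": conn.get("Options", {}).get("StaticRoutesOnly", False),
        "up": up,
        "down": down,
        "missing_routes": missing,
        "configured_peer_up": xg_gateway_address in up,
    }

def live_describe():
    """Fetch the real JSON with the AWS CLI (needs credentials; not used by the sample run)."""
    out = subprocess.run(["aws", "ec2", "describe-vpn-connections", "--output", "json"],
                         capture_output=True, text=True, check=True)
    return out.stdout

if __name__ == "__main__":
    # Replace SAMPLE_DESCRIBE with live_describe() and the placeholders with your own values.
    print(vpn_health(SAMPLE_DESCRIBE, ["192.168.10.0/24"], "198.51.100.21"))
```

A result with configured_peer_up False while up is non-empty means the XG connection was built with the other tunnel's outside address or pre-shared key; a non-empty missing_routes list means AWS will never send return traffic for that prefix into the tunnel, whatever the XG side does.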





Modified the Disclaimer
[edited by: DominicRemigio at 7:12 AM (GMT -8) on 11 Mar 2021]
  • Hi,

    I have a few questions regarding this config:

    1. How do you configure the static route in a failover situation as you can only have 1 interface linked to the static route?

    2. We seem to have issues with AWS initiating a rekey before the Sophos XG does and sometimes it happens in parallel. Would this be resolved by having a shorter key life than 28,800 configured in the policy?

    3. We are now getting these errors although it doesn't seem to cause an issue with traffic flow, how do we resolve this?

    CHILD_SA INVALID_ID_INFORMATION retry initiate CHILD_SA in 60 sec

    Thanks,

    Max

  • Hello. Could this Recommended Read be redone to show the entire process of creating the VPC and AWS "Create VPN Connection" part, as well as NOT have the Sophos behind a NAT device (WAN interface on a class C subnet)? Step 7 figure 4 shows the WAN interface listening on 192.168.0.75 -- but apparently I'm told I can leave the Local ID empty for both ends if my WAN interface has a public IP. I have been trying to get my VPN working for a month now and am told it must be something in the AWS side. Seeing how you do not cover the AWS side step-by-step -- it must be something there. Specifically, above, in Step 3 figure 2, you do not say whether to enter the Local and Remote IPv4 network CIDRs while creating the VPN connection on the AWS side.